Implementing access control by system-on-chip

ABSTRACT

Systems and methods for implementing access control by systems-on-chip (SoCs). An example SoC may comprise an access control unit employed to: receive a message comprising an access control data item; validate the message using a value of a message digest function of contents of the message and a value of a state variable reflecting a state of communications between the access control unit and a programming agent that has initiated the message, wherein the value of the state variable is derived from a previous value of the message digest function calculated within a current communication session between the access control unit and the programming agent; update the state variable using the value of the message digest function of the contents of the message; and control, using the access control data item, access by an initiator device to a target device.

RELATED APPLICATIONS

This application is a continuation-in-part of PCT Patent Application No. PCT/US15/13095filed on 27 Jan. 2015, which claims the priority benefit of U.S. Provisional Patent Application No. 61/932,187 filed on 27 Jan. 2014, U.S. Provisional Patent Application No. 61/948,504 filed on 5 Mar. 2014, and U.S. Provisional Patent Application No. 62/045,942 filed on 4 Sep. 2014. The entire contents of the above referenced applications are incorporated by reference herein. This application also claims the priority benefit of U.S. Provisional Application No. 62/084,940, filed 26 Nov. 2014.

TECHNICAL FIELD

The present disclosure is generally related to computer systems, and is more specifically related to implementing access control functionality by systems-on-chip (SoCs).

BACKGROUND

A system-on-chip (SoC) may include one or more processor cores and/or other initiator devices communicating via one or more shared interconnects to various target devices (e.g., memory, storage, and/or peripheral devices). The shared interconnect-based architecture is inherently prone to malicious attacks against the control mechanisms that manage access to target devices by initiator devices communicatively coupled to the shared interconnect.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of examples, and not by way of limitation, and may be more fully understood with references to the following detailed description when considered in connection with the figures, in which:

FIG. 1 schematically illustrates a functional block diagram of an example SoC operating in accordance with one or more aspects of the present disclosure;

FIGS. 2A-2C schematically illustrate various locations of the access control unit within the SoC operating in accordance with one or more aspects of the present disclosure;

FIG. 3 schematically illustrates a programming sequence transmitted to an access control unit by a reprogramming agent, in accordance with one or more aspects of the present disclosure;

FIGS. 4A-4C schematically illustrate examples of calculating a cryptographic hash value of a programming sequence based on a cryptographic key and a state variable, in accordance with one or more aspects of the present disclosure;

FIGS. 5A-5B schematically illustrates an example of defining a state variable that reflects the state of communications between a programming agent and an access control unit, in accordance with one or more aspects of the present disclosure;

FIGS. 6A-6B schematically illustrate validating, by an access control unit, the session key value in accordance with one or more aspects of the present disclosure;

FIG. 7 schematically illustrates an example circuitry that may be employed for implementing the functions of a reset module of an access control unit, in accordance with one or more aspects of the present disclosure.

FIG. 8A schematically illustrates validating, by an access control unit, the integrity of a programming sequence, in accordance with one or more aspects of the present disclosure;

FIG. 8B schematically illustrates an example access control rule, in accordance with one or more aspects of the present disclosure;

FIG. 9 schematically illustrates validating, by an access control unit, the contents of the secure memory storing the access control data, in accordance with one or more aspects of the present disclosure;

FIGS. 10A-10B schematically illustrate examples of initializing the access control data by firmware as part of the boot sequence of an example SoC, in accordance with one or more aspects of the present disclosure;

FIG. 10C schematically illustrates an example of storing, by an access control unit, the static access control data items programmable by firmware and the run-time programmable access control data items in separate memory locations, in accordance with one or more aspects of the present disclosure;

FIG. 11 schematically illustrates an example SoC comprising two or more access control units operating in accordance with one or more aspects of the present disclosure;

FIGS. 12A-12B schematically illustrate various examples of access control rules, in accordance with one or more aspects of the present disclosure;

FIGS. 13A-13B schematically illustrate various examples of overlapping and non-overlapping memory ranges used to define access control rules, in accordance with one or more aspects of the present disclosure;

FIGS. 14A-14D and 15 depict flow diagrams of example methods for authenticating incoming messages by access control units operating in accordance with one or more aspects of the present disclosure;

FIG. 16 depicts a flow diagram of an example method for validating the contents of a secure memory storing access control data, in accordance with one or more aspects of the present disclosure;

FIG. 17 illustrates a high-level component diagram of a video processing system comprising an access control unit operating in accordance with one or more aspects of the present disclosure.; and

FIG. 18 illustrates a diagrammatic representation of a computing device which may incorporate the SoC described herein and within which a set of instructions, for causing the computing device to perform the methods described herein, may be executed.

DETAILED DESCRIPTION

Described herein are systems-on-chip (SoCs) implementing access control and methods for implementing and securing access control by SoCs. In particular, described are circuitry, software, and/or firmware for authenticating incoming messages comprising access control data and for validating and maintaining the integrity of the access control data stored by access control units.

A SoC may include one or more processor cores and/or other initiator devices communicating via one or more shared interconnects to various target devices (e.g., memory, storage, and/or peripheral devices). In certain implementations, a SoC may further comprise an access control unit (e.g., a firewall) that may be configured to control access to various target devices based on pre-defined and/or run-time programmable access control data (e.g., a set of access control rules). The access control unit may be programmed by an on-chip or an external programming agent that may transmit messages comprising access control data items (e.g., access control rules).

A programmable access control unit may become a target of various attacks involving malicious modifications of the access control data stored by the access control unit, replaying previously sent programing messages, fault injection or glitching by disrupting execution of one or more instructions by an external disturbance, and/or various other methods.

A SoC may be configured to authenticate incoming programming messages using a message digest function (e.g., a cryptographic hash function) that provides a digital signature to allow the hardware being reprogrammed to confirm the identity of the source of the programming sequence. A message digest function can be implemented by a non-invertible function that allows decrypting, using a first key of a key pair, a message that has been encrypted using a second key of the key pair. Examples of message digest functions include RSA cipher functions based on factorization of large prime numbers, cryptographic functions based on elliptic curves, and cryptographic hash functions. In certain implementations, a message digest function may be implemented by a cryptographic hash and one or more cryptographic keys shared between an authorized programming agent and a programmable hardware functional unit, as described in more details herein below.

In certain implementations, a SoC may be further configured to validate the integrity of the access control data stored by the access control unit by comparing a stored reference value with a value of a cryptographic hash function of the access control data calculated by the access control unit.

In various examples, initiator devices may be represented by on-chip or off-chip central processing units (CPUs), graphical processing units (GPU), cryptographic cores, etc. Target devices may be provided by on-chip or off-chip memory devices, storage devices, various input/output (I/O) devices, etc.

In certain implementations, the SoC may comprise a network-on-chip (NoC) and the access control unit may be provided by a filtering firewall configured to enforce the access control policy while transporting data frames and/or electric signals between various initiator and target devices. Alternatively, the access control unit may be implemented by a memory management unit (MMU) configured to enforce access control based on the access control data while translating addresses from one address space into another address space (e.g., virtual addresses to physical addresses).

The systems and methods described herein may be implemented by hardware (e.g., general purpose and/or specialized processing devices, and/or other devices and associated circuitry), software (e.g., instructions executable by a processing device), or a combination thereof. Various aspects of the methods and systems are described herein by way of examples, rather than by way of limitation.

FIG. 1 schematically illustrates a functional block diagram of an example SoC 100 operating in accordance with one or more aspects of the present disclosure. The example SoC 100 comprises an interconnect 110 to which one or more initiator devices 120 and one or more target devices 130 may be coupled. The interconnect 110 comprises an access control unit 140 configured to control access by the initiator devices to the target devices in order to allow or disallow access and sharing of various resources of the target devices by the initiator devices. The access control may be performed in view of programmable access control data that may be received from a programming agent 150 via a programming interconnect 160. The programming agent 150 may calculate a cryptographic hash 210 of a programming sequence to be transmitted to the access control unit 140. The cryptographic hash 210 may be calculated using a certain cryptographic hash function of a state variable 260 and a cryptographic key 240 that may be shared with the access control unit 140. The access control unit 140 may validate the received programming sequence by calculating the cryptographic hash of the programming sequence using the cryptographic hash function and the shared cryptographic key 240, as described in more details herein below with references to FIG. 3.

In various illustrative examples, the access control unit 140 may be coupled to the interconnect 110 on the initiator device or the target device side.

In the illustrative example of FIG. 1, the interconnect 110 is represented by a network-on-chip (NoC), and the access control unit 140 is represented by a firewall configured to enforce an access control policy while transporting data frames and/or electric signals between a plurality of initiator devices and a plurality of target devices. In another illustrative example, the access control unit may be implemented by a memory management unit (MMU) configured to enforce access control based on the access control data comprising one or more address translation rules, while translating virtual addresses to physical memory addresses on various target devices.

In various illustrative examples, one or more access control units 140 may be placed in various locations, including at the ingress of the interconnect 110, within the interconnect 110, or at the egress of the interconnect 110, as described in more details herein below with references to FIGS. 2A-2C. In various illustrative examples, each access control unit 140 may service one or more initiator devices and/or manage addresses targeted at one or more target devices.

In certain implementations, the access control units 140A-140B may be placed near the initiator devices 120A-120C at the ingress of the interconnect 110, as schematically illustrated by FIG. 2A. Placing the access control units at the ingress of the interconnect allows the access control units to combine the access control and other address-related functions such as memory management (e.g., translating addresses from one address space into another address space and/or allowing the addresses on one side of the memory management unit appear contiguous while distributing the addresses through the memory space on the other side of the memory management unit).

Alternatively, the access control units 140A-140B may be placed within the interconnect 110, so that access control may be enforced as the traffic is routed through the interconnect 110, as schematically illustrated by FIG. 2B. In the example of FIG. 2B, the access control units 140A-140B may enforce access control with respect to requests that are initiated by one or more initiators 120A-120C and routed through the interconnect 110, and/or manage addresses within the address spaces of one or more targets 130A-130C that are accessible through the interconnect 110.

Alternatively, the access control units 140A-140B may be placed near the target 130A-130C at the egress of the interconnect 110, as schematically illustrated by FIG. 2C. In the example of FIG. 2C, the access control units 140A-140B may enforce access control for requests initiated by one or more initiators 120A-120C with respect to one or more targets that are accessible through the interconnect 110, and/or manage addresses within the address spaces of one or more targets 130A-130C that are accessible through the interconnect 110.

In certain implementations, the above described topologies may be combined so that various paths between certain initiator 120 and target 130 devices are managed by a one or more access control units 140 that are located at the ingress of the interconnect 110, within the interconnect 110, and/or at the egress of the interconnect 110.

The access control policy that is implemented by one or more access control units 140 may comprise a plurality of access control rules. In certain implementations, an access control rule may comprise an identifier of the initiator device, an identifier of the target device, a target device address range, access permissions, and/or an access authorization type. An access control rule may further comprise the required security state or level of secure execution required by an initiator to authorize the requested access. The access control policy may further indicate that certain rules are modified when the system is in a debug or higher privilege mode.

In various illustrative examples, identifiers of the initiator and target devices may be represented by a network address or by an identifier from an arbitrarily selected name space. In certain implementations, a device (initiator or target) identifier may identify two or more devices. The target device address range may be represented by a starting address, a block size, and/or a range selector for specifying non-contiguous ranges, as described in more details herein below. The access permissions may be specified by a set of flags designating read, write, required security level and/or execute permissions. The access authorization type may specify whether the rule “allows” or “denies” access by the initiator(s) to the target(s).

The access control unit 140 may receive from the programming agent 150, via a programming interconnect 160, a programming sequence comprising one or more access control data items (e.g., one or more access control rules). In various illustrative examples, the programming agent 150 may be represented by an on-chip or off-chip agent communicatively coupled to the access control unit 140. The access control unit 140 may comprise a secure memory 170 for storing the access control data (e.g., a set of access control rules).

In accordance with one or more aspects of the present disclosure, the access control unit 140 and the programming agent 150 may share a cryptographic key that may be used for authentication of programming sequences transmitted by the programming agent 150. The cryptographic key may be obtained by the access control unit 140 and the programming agent 150 from an on-chip or off-chip key management system (KMS) (not shown in FIG. 1). In certain implementations, the cryptographic key may be valid for a single use, a single session, or a certain period of time, upon expiration of which a new cryptographic key will need to be generated.

As schematically illustrated by FIG. 3, the programming agent may calculate a cryptographic hash 210 of a programming sequence 220 using a certain cryptographic hash function 230 of a state variable 260 and a cryptographic key 240 that may be shared with the access control unit 140. The programming agent 150 may then transmit to the access control unit 140 of FIG. 1, via the programming interconnect 160, a message 360 comprising the programming sequence 220 and the cryptographic hash 210. Responsive to receiving the message 360, the access control unit 140 may calculate the cryptographic hash of the programming sequence 220 using the cryptographic hash function and the shared cryptographic key 240. Should the calculated cryptographic hash match the cryptographic hash 210 received with the programming sequence 220, the programming sequence may be used by the access control unit for updating the access control data stored in the secure memory 170. Otherwise, if the calculated cryptographic hash differs from the cryptographic hash 210 received with the programming sequence 220, a security or programming error may be signaled, and the programming sequence 220 may be discarded.

The method of communication between the programming agent 150 and one or more access control units 140 may employ both static or limited use secrets (e.g., keys) as well as variable secrets (e.g., state variables) that change over time to prevent an attacker from using a previously transmitted sequence in an attempt to restore the access control unit to a previous state. In certain implementations, the cryptographic hash function 230 of FIG. 3 may be provided by a Secure Hash Algorithm (SHA) compliant function, as schematically illustrated by FIG. 4A. The cryptographic hash 210 may be represented by a keyed-hash message authentication code (HMAC) produced by a SHA-compliant function 320 of a SHA initialization value 225 and a concatenation of a cryptographic key 240 (also referred to as the session key), a state variable 260, message 360, and padding bits 330. In certain implementations, the message 360 may comprise the target register content and the target register address of the access control unit 140. Thus, the digital signature of the message 360 may be calculated as follows:

Digital Signature=HMAC_(SessionKey)(Register_content[127:01]∥ Register_address[3:0]∥ state_variable[15:0]∥ padding), wherein ∥refers to the bit concatenation operation and the numbers in the square brackets indicate the bit positions of the corresponding variable.

The state variable 260 reflects the state of communications between the programming agent 150 and the access control unit 140 of FIG. 1. Calculating the cryptographic hash value of the programming sequence based on both the cryptographic key and the state variable may prevent replay attacks in which a malicious third party may intercept and then attempt to replay a message being transmitted by the programming agent to the access control unit. The state variable value may be synchronized by the programming agent and the access control unit at the beginning of each session (e.g., within the boot sequence of the SoC 100 of FIG. 1), and then may be independently updated (e.g., as described herein below) by each party based on the previous value and the actual state of the access control data stored by the access control unit. Employing a state variable allows the message recipient to detect a message replay attempt by determining that the state variable associated with the message has not been properly updated.

In the illustrative example of FIG. 4A, the message has a pre-defined size (e.g., 256 bits), and the concatenation of the cryptographic key 240, state variable 260, and the message 360 is padded to the pre-defined size by padding bits 330. For larger messages, the cryptographic function 320 may be applied to each of several parts of the original message, and then a resulting hash may be calculated based on those intermediate hash values.

In certain implementations, the cryptographic hash 210 may be represented by a keyed-hash message authentication code (HMAC) produced by cascading the results of applying a SHA-compliant function 320 to the message 360, the cryptographic key 240, and the state variable 260, as schematically illustrated by FIG. 4B. The concatenation of the cryptographic key 240, the state variable 260, and the message 360 may be padded to the pre-defined size by padding bits 330. For larger messages, the SHA operation may be applied to each of several parts of the original message, and then a resulting hash may be calculated based on those intermediate hash values.

In certain implementations, the state variable may be defined by a non-linear function of one or more parameters. In the illustrative example of FIG. 5A, the state variable may be defined by applying a function 400 to the previous value 410 of the state variable, a cryptographic key 415, and a hash 420 of the contents of the secure memory storing the access control data. A selection function can be used to select a portion or reduction of the previous state to determine the contribution to the next state.

In certain implementations, the cryptographic hash 210 may be truncated so that only a certain number of lower bits are used as the cryptographic signature of the message 360. In an illustrative example, the cryptographic signature may comprise the lower 128 bits of the cryptographic hash 210, as schematically illustrated by FIG. 5B. At least part of the remaining bits may be used to update the value of the state variable that would be used for computing the digital signature of the next message 360. In the illustrative example of FIG. 4C, the state variable may be updated using bits 128-143 of the cryptographic hash 210, and the remaining bits (i.e., bits 144-25) of the cryptographic hash 210 may be discarded. By using this method of updating the state variable, the value of the state variable is derived from the previous value of the cryptographic hash 210 calculated within the current communication session (e.g., since the last reset of the access control units 140), thus reflecting the history of all programming operations within the current communication session:

state_variable (k)=f(state_variable(k-1), . . . , state_variable(1), state_variable(0)), wherein k is the number of the programming operation with respect to the access control units 140 within the current communication session.

The same set of cryptographic keys may be used for all copies of a given system, or a unique set of keys may be used for each device and system. Cryptographic keys may be provisioned by a hardware-based and/or software-based key management system. In a hardware-based key management system, cryptographic keys associated with one or more access control units may be received from an on-die hardware module or derived from one or more keys received from the on-die hardware module. The software developer or system manufacturer may possess a cryptographic key associated with one or more access control units and utilize the key for transactions associated with those access control units. Alternatively, the hardware key management system may provide the cryptographic key to both the software providing the signature and the access control unit.

In a software-based key management system, a dedicated software function may create, store, or generate cryptographic keys and provide the keys to the access control unit to bind the software and hardware. The keys may be generated as random values and may be delivered through a dedicated key bus or through a register that is written once and then cannot be written again until it is reset, so that an attacker or rogue code would not be able to modify the cryptographic keys.

The cryptographic keys may be used for a single session following the system boot or for a certain period of time. This is often referred to as a “session key” since it used once for one session of operation and discarded on the next reboot or reset. In an illustrative example, the integrity of the session key may be validated for every programming sequence (i.e., for every message 360 received from a programming agent).

In certain implementations, the cryptographic hash 210 may be represented by a keyed-hash message authentication code (HMAC) produced by cascading the results of applying a SHA-compliant function 320 to the message 360, the cryptographic key 240, and the state variable 260, as schematically illustrated by FIG. 4C. As the first round 412 of calculating the HMAC signature may comprise calculating a value of a SHA-compliant function of the session key, the output of the first round 412 may be employed for validating the session key integrity, by comparing the session key digest 414 produced by the first round 412 with a stored value of the session key signature, as described in more details herein below with reference to FIG. 6B.

In certain implementations, the access control unit 140 may receive the session key value via an I/O interface during the startup or reset sequence, and may validate the received session key by comparing the received session key signature with a value of a the session key digest computed using a hardcoded key value, as described in more details herein below with reference to FIG. 6A.

In certain implementations, the access control module 140 may comprise a programming interface module 621 implementing a programming finite state machine. Upon startup or reset of the access control unit 140, registers 612 and 615 may be initialized by their default values: the key register 612 may be initialized by the value of NETLIST_KEY, and the key digest register 615 may be initialized by the value of NETLIST_KEY_DIGEST; the state variable register 617 storing the value of the state variable employed to validate the programming sequence may be initialized to its default value (e.g., 0x0000), as schematically illustrated in FIG. 6A by the arrows labeled with the text prefixed with “0.” The default values NETLIST_KEY and NETLIST_KEY_DIGEST may be permanently stored in secure memory locations within the access control unit 140 at the device manufacturing stage.

The programming sequence may be initiated by the I/O interface 622, which may, responsive to receiving from the software the values of the session key, the session key address, and the session key signature, store the three received values in the transition buffer 624, target address register 626, and transition buffer 628, respectively, as schematically illustrated in FIG. 6A by the arrows labeled with the text prefixed with “1.”

The programming interface 621 may continue the programming sequence by computing the digest of the received session key value and storing the computed session key digest in the transition key digest register 616, as schematically illustrated in FIG. 6A by the arrows labeled with the text prefixed with “2”-“4.” The programming interface 621 may employ the HMAC computation unit 619 the HMAC to compute the HMAC value of the received values of the session key, the session key address, and the state variable, as schematically illustrated in FIG. 6A by the arrows labeled with the text prefixed with “3” and “4”:

Digital Signature=HMAC_(NetlistKey)(Session_key_value ∥ Session_key_address ∥ state_variable ∥ padding)

NETLIST_KEY value is used as the key value for computing the HMAC, and the state variable register 617 is initialized to its default value (e.g., 0x0000), as this is the first HMAC computation performed by the access control unit 140 after a reset.

As the first round of calculating the HMAC signature may comprise calculating a value of a SHA-compliant function of the NETLIST_KEY, the output of the first round may be employed for validating the stored value of NETLIST_KEY, by employing the key integrity checker 623 to compare the NETLIST_KEY digest produced by the first round with a stored value of NETLIST_KEY_DIGEST 615, similar to the validation of the session key within each programming sequence, as described in more details herein above with reference to FIG. 4C.

The programming interface 621 may continue the programming sequence by comparing the calculated HMAC value with the received session key signature value, which has been previously stored in the transition buffer 628, as schematically illustrated in FIG. 6A by the arrows labeled with the text prefixed with “5.” In certain implementations, the comparison operation may be performed twice, to ensure that the calculated HMAC value would not be modified by an intervening event.

Should the double comparison operation be successful, the state variable register 617 may be updated using bits 128-143 of the calculated HMAC value, as described in more details herein above with reference to FIG. 5B; the session key value that has been previously stored in the transition buffer 624 may be copied to the key register 612, and the session key digest value that has been previously stored in the transition buffer 616 may be copied to the current key digest register 615, as schematically illustrated in FIG. 6A by the arrows labeled with the text prefixed with “6.” Upon completing these operations, the access control unit 140 is ready to received programming messages from programming agents 150.

As noted herein above, the access control unit 140 may validate an incoming access control programming message comprising an access control data item and a digital signature, by computing, using the session key value, a cryptographic hash function of the contents of the access control programming message and comparing the computed HMAC value with the received digital signature. In certain implementations, the output of the first round of calculating the HMAC signature may be employed for validating the session key integrity, by comparing the session key digest produced by the first round with a stored value of the session key signature, as described in more details herein below with reference to FIG. 6B.

As schematically illustrated by FIG. 6B, responsive to completing the above described key initialization sequence, the session key value is stored in the key register 612, and the session key digest value is stored in current key digest register 615, as schematically illustrated in FIG. 6A by the arrows labeled with the text prefixed with “0.” The programming sequence may be initiated by the I/O interface 622, which may, responsive to receiving from the software the values of the access control item, the access control item target address, and the access control item digital signature, store the three received values in the transition buffer 624, target address register 626, and transition buffer 628, respectively, as schematically illustrated in FIG. 6B by the arrows labeled with the text prefixed with “1.”

The programming interface 621 may then employ the HMAC computation unit 619 the HMAC to compute the HMAC value of the received values of the access control item, the access control item target address, and the state variable, as schematically illustrated in FIG. 6B by the arrows labeled with the text prefixed with “3” and “4”:

Digital Signature=HMAC_(sessionKey)(Access_control_item_value∥Access_control_item_address∥state_variable∥padding)

As the first round of calculating the HMAC signature may comprise calculating a value of a SHA-compliant function of the session key, the output of the first round may be employed for validating the stored value of the session key, by employing the key integrity checker 623 to compare the session key digest produced by the first round with a stored value of the session key signature 615, similar to the validation of the session key within each programming sequence, as described in more details herein above with reference to FIG. 4C.

The programming interface 621 may continue the programming sequence by comparing the calculated HMAC value with the received digital signature value, which has been previously stored in the transition buffer 628, as schematically illustrated in FIG. 6B by the arrows labeled with the text prefixed with “5.” In certain implementations, the comparison operation may be performed twice, to ensure that the calculated HMAC value would not be modified by an intervening event.

Should the double comparison operation be successful, the state variable register 617 may be updated using bits 128-143 of the calculated HMAC value, as described in more details herein above with reference to FIG. 5B; the access control item value that has been previously stored in the transition buffer 624 may be copied to the target register 617 identified by the access control item target address value that has been previously stored in the transition buffer 626, thus completing the programming sequence, as schematically illustrated in FIG. 6B by the arrows labeled with the text prefixed with “6.”

As noted herein above, the initialization session key and session key digest values (NETLIST_KEY and NETLIST_KEY_DIGEST respectively) may be may be permanently stored in secure memory locations within the access control unit 140 at the device manufacturing stage. To support the post-production testing, the access control unit 140 may be configured to enter the testing mode responsive to detecting the assertion of a dedicated test_mode signal. In certain implementations, the access control unit 140 may be further configured to allow the internal register scanning responsive to detecting the assertion of a dedicated scan_en signal. To prevent the contents of the protected registers storing the session key value and the session key digest value from being scanned in the testing mode, the access control unit may comprise a reset module 700 configured to clear the protected registers upon entering the test mode, as schematically illustrated by FIG. 7. In certain implementations, the reset module may be further configured to clear the secure memory that is employed to store the access control items and to load the protected registers with their initialization values upon transitioning back to the functional mode.

FIG. 7 schematically illustrates an example circuitry that may be employed for implementing the functions of the reset module 700, in accordance with one or more aspects of the present disclosure. In various implementations, additional and/or different logical circuitry may be employed. In the illustrative example of FIG. 7, the reset module 700 may comprise an edge detector driven by scan_enter 710 and test_mode signals 712. The edge detector, comprising several D flip-flops 762, 764, 766, and 768 and several logical function units 750, 752, 754, 756, 758, and 760 may output a pulse responsive to detecting the change (assertion or de-assertion) of the test_mode signal 712. In an illustrative example, ca_scan_enter signal 720 may be asserted responsive to detecting the rising edge of the test_mode signal 712 (entering test mode), and ca_scan_exit signal 722 may be asserted responsive to detecting the rising edge of the test_mode signal 712 (exiting test mode).

The ca_scan_enter signal 720 may drive the circuitry (not shown in FIG. 7) employed to clear the protected registers upon entering the test mode.

The ca_scan_exit signal 722 may drive the circuitry (not shown in FIG. 7) employed to clear the secure memory that is employed to store the access control items and to load the protected registers with their initialization values upon transitioning back to the functional mode.

In certain implementations, the reset module 700 may be further configured to assert the reset signal ca_rstn 726 responsive to detecting the assertion of the input signal RstN 716, upon ascertaining that the access control unit is currently in the functional mode. In the test mode, the reset signal ca_rstn 726 is kept de-asserted irrespectively of the state of the input signal RstN 716, thus preventing the access control unit 140 from being reset while in the test mode.

The reset module 700 may be further configured to assert the scan signal ca_scan_en 718 responsive to detecting the assertion of the input signal scan_en 710, upon ascertaining that the access control unit is currently in the test mode. In the test mode, the scan signal ca_scan_en 718 is kept de-asserted irrespectively of the state of the input signal scan_en 710, thus preventing the access control unit 140 from being scanned while in the functional mode.

In various implementations, the reset module 700 may implement additional functions directed at protecting the contents of the key registers and/or the secure memory that is used for storing the access control data items.

Besides validating the programming messages, the access control unit 140 of FIG. 1 may, in certain implementations, be further configured to perform an integrity check to validate and detect modification of the contents of the secure memory 170 storing the access control data (e.g., the firewall rule set), in an attempt to prevent fault injection attacks or glitching attacks implemented by disrupting execution of one or more instructions by an external disturbance or otherwise modifying the value stored in the secure memory 170 through an electrical, optical or other type of disturbance.

In an example illustrated by FIG. 8A, the integrity check may be performed by a lightweight hash calculation module 614 calculating a lightweight hash function (e.g., a cyclic redundancy check (CRC16)) of the contents of one or more regions 608 of the secure memory 170 using (in certain cases of the selected lightweight hash function) a cryptographic key 618 and, optionally, the contents of one or more configuration registers 622 of the access control unit 140 of FIG. 1. Using a lightweight hash function enables a full parallelization of the code so that one or more access control rules will be validated at each access.

In an example illustrated by FIG. 8B, the secure memory 170 may store one or more access control data items (e.g., firewall rules) 602. Each access control data item 602 may comprise a 16-bit CRC hash 633 of fields 646, 644, 642, 640, 638, 636 and 634, to be used during the integrity check. Additional fields, such as filed 632, may be added to the hash, except for field 633 (otherwise a feedback loop would occur). Field 632 comprises reserved bits that may be used to store additional parameters relating to the memory region. Fields 636 and 634 represent the initial and final address that the memory region spans. Fields 644, 642,640 and 638 represent decoded access rights of 16 initiators, respectively: non-secure read, non-secure write, secure read and secure write: one bit per initiator asserting access rights. Field 646 deactivates the region when asserted to 1 and may in certain implementations be encoded on several bits to improve fault resistance.

Responsive to receiving an access request 540 from an initiator device, the access control unit 140 may calculate a signing (e.g., a hash) value 510 of the contents of one or more regions of the secure memory 170 and compare the calculated cryptographic hash with a reference cryptographic hash 520 stored in a secure register or along with the secure memory region, as schematically illustrated by FIG. 9. The reference cryptographic hash 520 may be updated responsive to detecting a legitimate modification of the contents of the secure memory 170, hence a difference between the calculated cryptographic hash 510 and the stored reference cryptographic hash 520 may indicate an unauthorized modification of the contents of the secure memory 170. Responsive to detecting an unauthorized modification of the contents of the secure memory 170, the access control unit 140 may signal a configuration error 530. In various illustrative examples, the above described validation of the contents of the secure memory 170 storing the access control data may be performed periodically (e.g., at a certain time interval) or responsive to a certain triggering event (e.g., responsive to receiving, from an initiator device, an access request 540 for access to a target device).

The access control unit 140 may process the access request 540 by the access rights validator 144 that may parse the request packet and validate the access rights by decoding one or more firewall configuration rules stored in the secure memory 170.

In addition to protecting the contents of the secure memory 170, the access control unit 140 may further comprise a control logic configured to detect or prevent the update of the memory 170 form being interrupted or avoided by a glitch or fault. A glitch-based based attack is a method for violating the security of a hardware block by disrupting the execution of one or more data paths or assignments. For example, the attacker may apply a high-speed external disturbance or increase the internal clock frequency at the precise moment when a comparison or a sensitive assignment is about to be executed, thus effectively blocking the register assignment or update, perhaps bypassing a critical operation, such as a hash comparison, or even bypassing the whole hashing operation.

In certain implementations, the access control unit 140 may implement a Finite State Machine (FSM) that controls the different hardware states of the access control unit, comprising, for example, the states associated with the operations of receiving a programming message, validating the programming message, storing the received access control data in a secure memory, and controlling the access using the access control data, as described in more details herein below with references to blocks 1310, 1320, 1330, and 1340 of FIG.13.

The FSM states may be binary encoded in such a way that any transition from a given state to another will have a change on at least 2 bits (Hamming distance exceeding 1) of the register containing the actual state value. For example, in the case of having a Hamming distance equal to 2, the attacker would need to induce two faults in the current-state register to jump the state. Since not all state encodings are actually used, even changing two bits on the current-state register might lead to an invalid state jump. All illegal states lead to a hardware interrupt or alarm that, for example, resets the access control unit.

In certain implementations, the access control unit 140 may further implement a hardware block that constantly monitors the state changes. This block may be used in conjunction with the above described state encoding. Even if a glitching attack occurred and the register has jumped to a valid state, the hardware monitor can detect it by comparing the last state to the current state. Before the error was induced, the last-state register had a Hamming distance of 2 compared to the current-state register. By inducing errors on the current state register, the Hamming distance to the last state register increases and can be verified by the hardware monitor. Moreover, the hardware monitor can also check that the next-state register is assigned correctly by verifying that the current-state register has a state that is allowed to go to the next-state value.

In certain implementations, the access control data stored by access control unit 140 in the secure memory 170 may comprise a fixed part that may be programmed by firmware as part of the boot sequence of SoC 100, and may further comprise a run-time programmable part that may be received from the programming agent 150 at runtime, as described in more details herein above. As schematically illustrated by FIG. 10A, a pre-computed sequence 610 comprising access control data 620 and a cryptographic hash 630 may be transmitted by firmware to the access control unit 140 that may authenticate the received sequence by employing a hash calculation module 802 to compute a value of a certain cryptographic hash function of the sequence using a cryptographic key 640 shared with the firmware. The cryptographic key 640 may be obtained from a key management system 650 or from software running in the programming unit. In certain implementations, the access control unit 140 may further comprise a lightweight hash calculation module 614 for validating the access control rules at each access request, as described in more details herein above with references to FIG. 8A.

In certain implementations, the access control unit 140 may comprise one or more configuration registers that may only be modified by the above described procedure involving the authentication of the received message by computing a value of a certain cryptographic hash function of the received message using a cryptographic key 640 shared with the firmware. As schematically illustrated by FIG. 10B, the above described secure programming interface can be used for programming both the access control data (e.g., a firewall look-up table (FW LUT) stored in the secure memory 170) and one or more internal registers 175. In certain implementations, the above described integrity check procedures may be periodically performed to validate the contents of the secure memory 170 and/or the internal registers 175.

In certain implementations, the fixed part of the access control data (e.g., a first portion of a firewall look-up table (FW LUT)) programmable by firmware as part of the boot sequence of SoC 100 may be stored in a first secure memory location 170A, and the run-time programmable part of the access control data (e.g., a second portion of the FW LUT) may be stored in a second secure memory location 170B, as schematically illustrated by FIG. 10C.

The first secure memory location 170A may be protected from run-time updates, and hence may only be programmable by firmware as part of the boot sequence of SoC 100. A pre-computed sequence 710 comprising access control data 720 and a cryptographic hash 730 may be transmitted by firmware to the access control unit 140 that may authenticate the received sequence 710 by computing a value of a certain cryptographic hash function of the sequence using a first cryptographic key 740 that was utilized to sign or hash the firmware being loaded. The first cryptographic key 740 may be obtained from a key management system 750 or other key sources as described in more details herein above.

The second secure memory location 170B may be run-time programmable by the programming agent represented by a trusted execution environment (TEE) 150. The programming agent 150 may transmit a programming sequence 760 and a cryptographic hash 770 to the access control unit 140 that may authenticate the received sequence by computing a value of a certain cryptographic hash function of the sequence using the second cryptographic key 780 shared with the programming agent 150. The second cryptographic key 780 may be obtained from the key management system 750.

In certain implementations, the access control unit may be configured to interpret the boot-time programmable access control data as having priority over the run-time programmable access control data. In an illustrative example, the access control unit may be configured to disallow any access attempts violating a certain access authorization that has been set by the boot-time programmable access control data, even if the run-time programmable access control data overrides the access authorization.

In certain implementations, an example SoC 100 operating in accordance with one or more aspects of the present disclosure may comprise two or more access control units 140A-140Z comprised by or coupled to the interconnect 110, as schematically illustrated by FIG. 11. In the illustrative example of FIG. 11, the interconnect 110 is represented by a NoC, and each access control unit 140A-140Z is represented by a firewall configured to enforce an access control policy while transporting data frames and/or electric signals between a plurality of initiator devices 120A-120Z and a plurality of target devices 130A-130Z. Alternatively, the access control unit 140 may be implemented by a memory management unit (MMU) configured to enforce the access control in view of access control data comprising one or more address translation rules, while translating virtual addresses to physical addresses referencing a memory location on a target device.

Multiple access control units 140 may receive programming sequences from a programming agent 150. In various illustrative examples, the programming agent 150 may be represented by an on-chip or off-chip agent communicatively coupled to the access control units 140.

In certain implementations, each access control unit 140 may share, with the programming agent 150, a cryptographic key 810A-810Z to be used for authenticating the programming sequences received by the access control unit, by calculating cryptographic hash values 310A-310Z, as described in more details herein above. Alternatively, the same cryptographic key may be shared between two or more access control units 140 of the SoC 100 and the programming agent 150. The cryptographic key may be obtained by the access control units 140 and the programming agent 150 from an on-chip or off-chip key management system.

Each of the access control units 140 may synchronize, with the programming agent 150, a state variable 820A-820Z upon the reset (e.g., within the boot sequence of the SoC 100) and/or during the operation. The state variable may be independently updated by each party based on the previous value and the actual state of the access control data stored by the corresponding access control unit 140. The state variable may be used in calculating the cryptographic hash of the programming sequences being transmitted by the programming agent 150, as described in more details herein above.

As noted herein above, the access control data may be represented by a plurality of access control rules. Each access control rule may comprise an identifier of the initiator device, an identifier of the target device, a target device address range, access permissions (e.g., “read,” “write,” and/or “execute” “secure” or “debug”), and/or an access authorization type (e.g., “allow” or “deny”).

In the illustrative example of FIG. 12A, an access control rule 910 may comprise an identifier of the initiator device 920, an access permission field 930, an identifier 940 of the start of an address space region on the target device, and the region size 950. In various illustrative examples, the identifiers of the initiator device 920 may be represented by a network address or by an identifier from an arbitrarily selected name space. In certain implementations, a device (initiator or target) identifier may identify two or more devices. The access permission field 930 may comprise one or more bits encoding the read, write, and/or execute access permissions. The target region may correspond to a memory block comprising a plurality of memory pages.

In the illustrative example of FIG. 12B, an access control rule 960 may comprise a target address 965, a target sub-region selector 970, a target sub-region size 975, a priority level 980, identifiers of the initiator device 985, 990, and a user-defined field 995.

Each of the initiator device identifiers 985, 990 may identify one or more identifier devices associated with a pre-defined set of access permissions to the target device. In an illustrative example, the initiator device identifier 985 may identify one or more identifier devices having the read access permission to the target device, while the initiator device identifier 990 may identify one or more identifier devices having the write access permission to the target device.

The target address field 965 may specify the starting address of the address space region. The target sub-region selector field 970 may specify a sub-region of the address space region, thus allowing to define non-contiguous address space regions. The target sub-region size 975 field may specify the size of the address space sub-region.

In certain implementations, the access control rules may be assigned different priority values. The access control unit may be configured to interpret access control rules associated with higher priority levels as overriding access control rules associated with lower priority levels. Priorities of the access control rules may be specified by the priority level field 980.

In various illustrative examples, access control policies may comprise multiple access control rules defined on various target device address ranges. In the illustrative example of FIG. 13A, the address ranges 1003, 1005, and 1007 are not overlapping as they are mapped on different ranges of the address space 1001. Thus, three or more independent access control rules may be defined on the address ranges 1003, 1005, and 1007.

A more compact rule set may be defined using a plurality of overlapping address ranges. In the illustrative example of FIG. 13B, the address ranges 1053, 1055, and 1057 are overlapping and hence define five distinct regions 1061, 1063, 1065, 1067, and 1069 within the address space 1001. In certain implementations, the access control rules defined on the address ranges 1053, 1055, and 1057 may be assigned different priority values, so that the access control rule defined on an address range having a higher priority value would override access control rules defined on other address ranges. In certain implementations, a default address range 1057 having the lowest priority may be defined to include all other defined address ranges, thus precluding the rule set from having undefined address ranges (“holes”). In an illustrative example, an access rule universally denying access to all initiator devices may be associated with the default address range 1057, so that the other access rules may selectively allow access to certain address ranges by certain initiator devices.

FIG. 14A depicts a flow diagram of an example method 1200A for authenticating incoming messages comprising access control data by an access control unit operating in accordance with one or more aspects of the present disclosure. Method 1200A and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose and/or specialized processing devices. Two or more functions, routines, subroutines, or operations of method 1200A may be performed in parallel or in an order that may differ from the order described above. In certain implementations, method 1200A may be performed by a single processing thread. Alternatively, method 1200A may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In an illustrative example, the processing threads implementing method 1200A may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, the processing threads implementing method 1200A may be executed asynchronously with respect to each other. In an illustrative example, method 1200A may be performed by computing device 1000 described herein below with references to FIG. 18.

Referring to FIG. 14A, at block 1210, a SoC implementing the method may receive, from a programming agent, a message comprising a programming sequence and a cryptographic hash value associated with the programming sequence. The programming sequence may comprise one or more access control data items (e.g., access control rules). The cryptographic hash value may be produced by applying a certain cryptographic hash function to the programming sequence, a cryptographic key pre-shared between the programming agent and the access control unit, and a state variable that reflects the state of communications between the programming agent and the access control unit, as described in more details herein above.

At block 1212, the SoC may authenticate the message by computing a value of the cryptographic hash function using the shared cryptographic key and optionally using the state variable. The cryptographic key may be obtained from an on-chip or off-chip key management system, as described in more details herein above.

Responsive to determining, at block 1214, that the calculated cryptographic hash determined by applying the cryptographic hash function to the received message matches the cryptographic hash received within the message, the processing may continue at block 1216. Otherwise, if the calculated cryptographic hash differs from the received cryptographic hash, a communication error with the programming agent may be signaled at block 1224, and the programming sequence may be discarded.

At block 1216, the SoC may store the received access control data items in a memory data structure residing in a secure memory. In certain implementations, the memory data structure may be represented by a look-up table comprising a plurality of access control rules. Each access control rule may comprise an identifier of the initiator device, an identifier of the target device, a target device address range, an access permission (e.g., “read,” “write,” and/or “execute”), and/or an access authorization type (e.g., “allow” or “deny”), as described in more details herein above.

At block 1218, the SoC may validate the integrity of the access control data stored by the access control unit, by comparing a stored reference value with a value of a cryptographic hash function of the access control data calculated by the access control unit, as described in more details herein above.

Responsive to determining, at block 1220, that the stored reference value matches the value of the cryptographic hash function of the access control data calculated by the access control unit, the processing may continue at block 1222. Otherwise, an error may be signaled at block 1224, and one or more implementation-specific recovery actions may be performed.

At block 1222, the access control unit may control, using the access control data, access by initiator devices to target devices or target addresses. In certain implementations, the access control unit may be implemented by a network-on-chip (NoC) comprising a filtering firewall configured to enforce the access control using the access control data while transporting control and data frames or electric signals between initiator devices and target devices and back to initiators, as described in more details herein above. Alternatively, the access control unit may be implemented at the ingress to a network in or functionally near an MMU configured to enforce the access control based on the access control data while translating virtual addresses to physical memory addresses on various target devices, as described in more details herein above.

Responsive to completing operations described with reference to block 1222, the method may loop back to block 1218, as the integrity of the stored access control data may be validated repeatedly, e.g., responsive to detecting a triggering event or responsive to expiration of a timeout.

FIG. 14B depicts a flow diagram of an example method 1200B for authenticating incoming messages comprising access control data by an access control unit operating in accordance with one or more aspects of the present disclosure. Method 1200B and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose and/or specialized processing devices. Two or more functions, routines, subroutines, or operations of method 1200B may be performed in parallel or in an order that may differ from the order described above. In certain implementations, method 1200B may be performed by a single processing thread. Alternatively, method 1200B may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In an illustrative example, the processing threads implementing method 1200B may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, the processing threads implementing method 1200B may be executed asynchronously with respect to each other. In an illustrative example, method 1200B may be performed by computing device 1000 described herein below with references to FIG. 18.

Referring to FIG. 14B, at block 1230, a SoC implementing the method may receive, from a programming agent, a message comprising a programming sequence. The programming sequence may comprise one or more access control data items (e.g., access control rules). The SoC may further receive a cryptographic hash value associated with the message. The cryptographic hash value may be produced by applying a certain cryptographic hash function to the programming message and a state variable, a cryptographic key pre-shared between the programming agent and the access control unit, and the state variable, as described in more details herein above. The state variable may reflect the state of communications between the access control unit and the programming agent that has initiated the message. The state variable value may be synchronized by the programming agent and the access control unit at the beginning of each session (e.g., within the boot sequence)), and then may be independently updated by each party based on the previous value and the actual state of the access control data stored by the access control unit, as described in more details herein above.

At block 1232, the SoC may authenticate the message by computing, using the shared cryptographic key, a value of the cryptographic hash function of the incoming message and the state variable, as described in more details herein above.

Responsive to determining, at block 1234, that the calculated cryptographic hash determined by applying the cryptographic hash function to the received message matches the cryptographic hash received within the message, the processing may continue at block 1236. Otherwise, if the calculated cryptographic hash differs from the received cryptographic hash, a communication error with the programming agent may be signaled at block 1235, and the incoming message may be discarded.

At block 1236, the SoC may store the received access control data items in a memory data structure residing in a secure memory. In certain implementations, the memory data structure may be represented by a look-up table comprising a plurality of access control rules. Each access control rule may comprise an identifier of the initiator device, an identifier of the target device, a target device address range, an access permission (e.g., “read,” “write,” and/or “execute”), and/or an access authorization type (e.g., “allow” or “deny”), as described in more details herein above.

At block 1238, the SoC may update the value of the state variable using certain bits of the calculated cryptographic hash value (e.g., bits 128-143 of the cryptographic hash), as described in more details herein above.

At block 1240, the access control unit may control, using the access control data, access by initiator devices to target devices or target addresses. In certain implementations, the access control unit may be implemented by a network-on-chip (NoC) comprising a filtering firewall configured to enforce the access control using the access control data while transporting control and data frames or electric signals between initiator devices and target devices and back to initiators, as described in more details herein above. Alternatively, the access control unit may be implemented at the ingress to a network in or functionally near an MMU configured to enforce the access control based on the access control data while translating virtual addresses to physical memory addresses on various target devices, as described in more details herein above.

FIG. 14C depicts a flow diagram of an example method 1200C for authenticating incoming messages comprising access control data by an access control unit operating in accordance with one or more aspects of the present disclosure. Method 1200C and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose and/or specialized processing devices. Two or more functions, routines, subroutines, or operations of method 1200C may be performed in parallel or in an order that may differ from the order described above. In certain implementations, method 1200C may be performed by a single processing thread. Alternatively, method 1200C may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In an illustrative example, the processing threads implementing method 1200C may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, the processing threads implementing method 1200C may be executed asynchronously with respect to each other. In an illustrative example, method 1200C may be performed by computing device 1000 described herein below with references to FIG. 18.

Referring to FIG. 14C, at block 1250, a SoC implementing the method may receive, from a programming agent, a message comprising a programming sequence. The programming sequence may comprise one or more access control data items (e.g., access control rules). The SoC may further receive a cryptographic hash value associated with the message. The cryptographic hash value may be produced by applying a certain cryptographic hash function to the programming message, a cryptographic key pre-shared between the programming agent and the access control unit, and an optional state variable reflecting the state of communications between the access control unit and the programming agent that has initiated the message, as described in more details herein above.

At block 1252, the SoC may authenticate the message by computing a value of the cryptographic hash function of the incoming message using the shared cryptographic key, as described in more details herein above.

Responsive to determining, at block 1254, that an intermediate cryptographic hash value (e.g., the output of the first round of the HMAC calculation) determined by applying a cryptographic hash function to the session key value matches the stored value of the cryptographic key signature, the processing may continue at block 1256. Otherwise, if the intermediate cryptographic hash value differs from the stored cryptographic key signature, a communication error with the programming agent may be signaled at block 1257, and the incoming message may be discarded.

Responsive to determining, at block 1256, that the calculated cryptographic hash determined by applying the cryptographic hash function to the received message matches the cryptographic hash received within the message, the processing may continue at block 1258. Otherwise, if the calculated cryptographic hash differs from the received cryptographic hash, a communication error with the programming agent may be signaled at block 1257, and the incoming message may be discarded.

At block 1258, the SoC may store the received access control data items in a memory data structure residing in a secure memory. In certain implementations, the memory data structure may be represented by a look-up table comprising a plurality of access control rules. Each access control rule may comprise an identifier of the initiator device, an identifier of the target device, a target device address range, an access permission (e.g., “read,” “write,” and/or “execute”), and/or an access authorization type (e.g., “allow” or “deny”), as described in more details herein above.

At block 1260, the access control unit may control, using the access control data, access by initiator devices to target devices or target addresses. In certain implementations, the access control unit may be implemented by a network-on-chip (NoC) comprising a filtering firewall configured to enforce the access control using the access control data while transporting control and data frames or electric signals between initiator devices and target devices and back to initiators, as described in more details herein above. Alternatively, the access control unit may be implemented at the ingress to a network in or functionally near an MMU configured to enforce the access control based on the access control data while translating virtual addresses to physical memory addresses on various target devices, as described in more details herein above.

FIG. 14D depicts a flow diagram of an example method 1200D for authenticating incoming messages comprising access control data by an access control unit operating in accordance with one or more aspects of the present disclosure. Method 1200D and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose and/or specialized processing devices. Two or more functions, routines, subroutines, or operations of method 1200D may be performed in parallel or in an order that may differ from the order described above. In certain implementations, method 1200D may be performed by a single processing thread. Alternatively, method 1200D may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In an illustrative example, the processing threads implementing method 1200D may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, the processing threads implementing method 1200D may be executed asynchronously with respect to each other. In an illustrative example, method 1200D may be performed by computing device 1000 described herein below with references to FIG. 18.

Referring to FIG. 14D, at block 1270, a SoC implementing the method may receive, from a programming agent, a session key and a session key signature produced by applying a certain cryptographic hash function to the session key using a hardcoded cryptographic key (NETLIST_KEY), as described in more details herein above.

At block 1272, the SoC may authenticate the session key by computing a value of the cryptographic hash function of the received session key using the harcoded cryptographic key, as described in more details herein above.

Responsive to determining, at block 1274, that the calculated cryptographic hash determined by applying the cryptographic hash function to the received session key matches the received cryptographic hash value, the processing may continue at block 1276. Otherwise, if the calculated cryptographic hash differs from the received cryptographic hash, a communication error with the programming agent may be signaled at block 1275, and the incoming message may be discarded.

At block 1276, the SoC may store the session key and the session key signature in a protected memory.

At block 1278, the SoC may receive, from the programming agent, a message comprising a programming sequence. The programming sequence may comprise one or more access control data items (e.g., access control rules). The SoC may further receive a cryptographic hash value associated with the message. The cryptographic hash value may be produced by applying a certain cryptographic hash function to the programming message, a cryptographic key pre-shared between the programming agent and the access control unit, and an optional state variable reflecting the state of communications between the access control unit and the programming agent that has initiated the message, as described in more details herein above.

At block 1280, the SoC may authenticate the message by computing a value of the cryptographic hash function of the incoming message using the shared cryptographic key, as described in more details herein above.

Responsive to determining, at block 1282, that the calculated cryptographic hash determined by applying the cryptographic hash function to the received message matches the cryptographic hash received within the message, the processing may continue at block 1284. Otherwise, if the calculated cryptographic hash differs from the received cryptographic hash, a communication error with the programming agent may be signaled at block 1275, and the incoming message may be discarded.

At block 1284, the SoC may store the received access control data items in a memory data structure residing in a secure memory. In certain implementations, the memory data structure may be represented by a look-up table comprising a plurality of access control rules. Each access control rule may comprise an identifier of the initiator device, an identifier of the target device, a target device address range, an access permission (e.g., “read,” “write,” and/or “execute”), and/or an access authorization type (e.g., “allow” or “deny”), as described in more details herein above.

At block 1286, the access control unit may control, using the access control data, access by initiator devices to target devices or target addresses. In certain implementations, the access control unit may be implemented by a network-on-chip (NoC) comprising a filtering firewall configured to enforce the access control using the access control data while transporting control and data frames or electric signals between initiator devices and target devices and back to initiators, as described in more details herein above. Alternatively, the access control unit may be implemented at the ingress to a network in or functionally near an MMU configured to enforce the access control based on the access control data while translating virtual addresses to physical memory addresses on various target devices, as described in more details herein above. depicts a flow diagram of an example method 1300 for authenticating incoming messages comprising access control data by an access control unit comprising a firmware-only programmable storage and a run-time programmable storage, in accordance with one or more aspects of the present disclosure. Method 1300 and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose and/or specialized processing devices. Two or more functions, routines, subroutines, or operations of method 1300 may be performed in parallel or in an order that may differ from the order described above. In certain implementations, method 1300 may be performed by a single processing thread. Alternatively, method 1300 may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In an illustrative example, the processing threads implementing method 1300 may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, the processing threads implementing method 1300 may be executed asynchronously with respect to each other. In an illustrative example, method 1300 may be performed by computing device 1000 described herein below with references to FIG. 18.

Referring to FIG. 15, at block 1310, a SoC implementing the method may receive, from a first programming agent, a first message comprising a programming sequence and a value of a certain cryptographic hash function of the programming sequence. In certain implementations, the message may be received within the boot sequence of the SoC. The programming sequence may comprise one or more access control data items (e.g., access control rules). The cryptographic hash value may be produced by applying a certain cryptographic hash function to the programming sequence, a cryptographic key pre-shared between the first programming agent and the access control unit, and a state variable that reflects the state of communications between the programming agent and the access control unit, as described in more details herein above.

At block 1320, the SoC may authenticate the first message by computing a cryptographic hash function using the cryptographic key shared with the first programming agent, as described in more details herein above. The cryptographic key may be obtained from an on-chip or off-chip key management system, as described in more details herein above.

Responsive to determining, at block 1330, that the calculated cryptographic hash determined by applying the cryptographic hash function to the first message matches the cryptographic hash received within the first message, the processing may continue at block 1340. Otherwise, if the calculated cryptographic hash differs from the received cryptographic hash, a communication error with the programming agent may be signaled at block 1335, and the programming sequence may be discarded.

At block 1340, the SoC may store the received access control data items in a first memory data structure residing in a first secure memory location. In certain implementations, the first secure memory location may be protected from run-time updates, and hence may only be programmed by firmware within the boot sequence of the SoC, as described in more details herein above.

At block 1350, the SoC may receive, from a second programming agent, a second message comprising a programming sequence and a value of a certain cryptographic hash function of the programming sequence. In certain implementations, the message may be received at run-time. The programming sequence may comprise one or more access control data items (e.g., access control rules). The signing may be produced by applying a certain cryptographic hash function to the programming sequence, a cryptographic key pre-shared between the second programming agent and the access control unit, and a state variable that reflects the state of communications between the second programming agent and the access control unit, as described in more details herein above.

At block 1360, the SoC may authenticate the second message by computing a cryptographic hash function using the cryptographic key shared with the second programming agent, as described in more details herein above.

Responsive to determining, at block 1370, that the calculated cryptographic hash value determined by applying the cryptographic hash function to the second message matches the cryptographic hash received within the second message, the processing may continue at block 1380. Otherwise, if the calculated cryptographic hash differs from the received cryptographic hash, a communication error with the programming agent may be signaled at block 1335, and the programming sequence may be discarded.

At block 1380, the SoC may store the received access control data items in a second memory data structure residing in a second secure memory location. In certain implementations, the second secure memory location may be programmable at run-time, as described in more details herein above.

At block 1390, the SoC may validate the integrity of the access control data stored by the access control unit, by comparing a stored reference value with a value of a cryptographic hash function of the access control data calculated by the access control unit, as described in more details herein above.

Responsive to determining, at block 1392, that the stored reference value matches the value of the cryptographic hash function of the access control data calculated by the access control unit, the processing may continue at block 1395. Otherwise, an error may be signaled at block 1335, and one or more implementation-specific recovery actions may be performed.

At block 1395, the access control unit may control, using the access control data, access by initiator devices to target devices. In certain implementations, the access control unit may be configured to interpret the boot-time programmable access control data as having priority over the run-time programmable access control data. In an illustrative example, the access control unit may be configured to disallow any access attempts violating a certain access authorization that has been set by the boot-time programmable access control data, even if the run-time programmable access control data overrides the access authorization, as described in more details herein above.

Responsive to completing operations described with reference to block 1395, the method may loop back to block 1390, as the integrity of the stored access control data may be validated repeatedly, e.g., responsive to detecting a triggering event or responsive to expiration of a timeout.

FIG. 6 depicts a flow diagram of an example method for validating the contents of a secure memory storing access control data, in accordance with one or more aspects of the present disclosure. Method 1400 and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose and/or specialized processing devices. Two or more functions, routines, subroutines, or operations of method 1400 may be performed in parallel or in an order that may differ from the order described above. In certain implementations, method 1400 may be performed by a single processing thread. Alternatively, method 1400 may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In an illustrative example, the processing threads implementing method 1400 may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, the processing threads implementing method 1400 may be executed asynchronously with respect to each other. In an illustrative example, method 1400 may be performed by computing device 1000 described herein below with references to FIG. 18.

Referring to FIG. 16, at block 1410, a SoC implementing the method may receive, from a programming agent, a message comprising a programming sequence and a value of a certain cryptographic hash function of the programming sequence. The programming sequence may comprise one or more access control data items (e.g., access control rules). The cryptographic hash may be produced by applying a certain cryptographic hash function to the programming sequence, a cryptographic key pre-shared with the access control unit, and a state variable that reflects the state of communications between the programming agent and the access control unit, as described in more details herein above.

At block 1420, the SoC may store the received access control data items in a memory data structure residing in a secure memory, as described in more details herein above.

At block 1430, the SoC may validate the contents of the secure memory by comparing a stored reference value with a calculated value of a cryptographic hash function of the contents of the secure memory. In an illustrative example, the access control unit may calculate a value of a certain cryptographic hash function of the contents of the secure memory and compare the calculated cryptographic hash with a reference cryptographic hash stored in a secure register of the SoC. The reference cryptographic hash may be updated responsive to detecting every legitimate modification of the contents of the secure memory, hence a difference between the calculated cryptographic hash and the stored reference cryptographic hash may indicate an unauthorized modification of the contents of the secure memory. Responsive to detecting an unauthorized modification of the contents of the secure memory, the access control unit may signal a configuration error.

At block 1440, the access control unit may control, using the access control data, access by initiator devices to target devices, as described in more details herein above.

In various illustrative examples, a SoC comprising an access control unit operating in accordance with one or more aspects of the present disclosure may be utilized by general purpose and specialized computing devices that are employed for processing of information that needs to be protected from unauthorized access or tampering, including, e.g., digital rights management (DRM) applications, processing of financial information such as credit card or account numbers, receiving and handling the data that originated by various peripheral devices, such as still image or video cameras, microphones, etc.

FIG. 17 illustrates a high-level component diagram of a video processing system that comprises an on-chip access control unit operating in accordance with one or more aspects of the present disclosure. The example video processing system comprises an interconnect 1610 that may, in various illustrative examples, be provided by a NoC. Coupled to the interconnect 1610 are a digital video receiver 1620, a graphic processing unit (GPU) 1630, a crypto module 1640, a memory controller 1650, and a display interface 1660.

The example video processing system further comprises access control units 1670, 1680 that are configured to control access by various initiator devices, including the digital video receiver 1620 and the GPU 1630, to the memory coupled to the memory controller 1650 and/or to the video display devices coupled to the display interface 1660. In various illustrative examples, access control units 1670, 1680 may reside within the interconnect 110 or be coupled to the interconnect 110 on the initiator or target device side.

The access control units 1670, 1680 may be programmed by an on-chip or an external programming agent that may transmit messages comprising access control data items (e.g., access control rules). In accordance with one or more aspects of the present disclosure, the access control units 1670, 1680 may share, with one or more programming agents, one or more cryptographic keys that may be used for authentication of programming sequences transmitted by the programming agent 150 of FIG. 1. The cryptographic key may be obtained by the access control unit 140 of FIG. 1 and the programming agent 150 from an on-chip or off-chip key management system.

In an illustrative example, the digital video receiver 1620 may transmit an encrypted video stream to the memory via the memory controller 1650. The encrypted video stream may then be retrieved by the crypto module 1640 which may decrypt the encrypted data to produce a decrypted video stream. The crypto module may then transmit the decrypted data to the memory via the memory controller 1650. The GPU 1630 may then securely retrieve the decrypted video stream from the memory, process the video stream (e.g., decode, resize, crop, and/or rotate one or more video frames) and then transmit one or more video frames to a display device via the display interface 1660.

The access control unit 1670 may be programmed to prevent unauthorized access to the unencrypted video stream stored in the memory by only allowing read access to the memory regions that store the unencrypted video stream by the GPU 1630 and potential write access to the crypto module 1640. The access control unit 1680 may be programmed to prevent unauthorized access to the unencrypted video stream stored by the display interface 1660 by only allowing access to the display interface by the GPU 1630. In accordance with one or more aspects of the present disclosure, the access control unit 1670 and/or the access control unit 1680 may be securely programmed with the access control rules within the boot sequence of the video processing system 1600 and/or at run-time, as described in more details herein above. Various other components of the video processing system 1600 (not shown in FIG. 17) that are not part of the secure video pipeline (e.g., the CPU) may be denied access to the unencrypted video stream.

FIG. 18 illustrates a diagrammatic representation of a computing device 1000 which may incorporate the SoC described herein and within which a set of instructions, for causing the computing device to perform the methods described herein, may be executed. Computing device 1000 may be connected to other computing devices in a LAN, an intranet, an extranet, and/or the Internet. The computing device may operate in the capacity of a server machine in client-server network environment. The computing device may be provided by a personal computer (PC), a set-top box (STB), a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single computing device is illustrated, the term “computing device” shall also be taken to include any collection of computing devices that individually or jointly execute a set (or multiple sets) of instructions to perform the methods described herein.

The example computing device 1000 may include a processing device 1002, which in various illustrative examples may be provided by the SoC 100 of FIG. 1. The example computing device 1000 may further comprise a main memory 1004 (e.g., synchronous dynamic random access memory (DRAM), read-only memory (ROM)), a static memory 1006 (e.g., flash memory and a data storage device 1018), which may communicate with each other via a bus 1030.

The processing device 1002 may be configured to execute methods 1200A, 1300 for authenticating incoming messages comprising access control data by an access control unit, and/or method 1400 for validating the contents of a secure memory storing access control data, in accordance with one or more aspects of the present disclosure for performing the operations and steps described herein.

The example computing device 1000 may further include a network interface device 1008 which may communicate with a network 1020. The example computing device 1000 also may include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1012 (e.g., a keyboard), a cursor control device 1014 (e.g., a mouse) and an acoustic signal generation device 1016 (e.g., a speaker). In one embodiment, the video display unit 1010, the alphanumeric input device 1012, and the cursor control device 1014 may be combined into a single component or device (e.g., an LCD touch screen).

The data storage device 1018 may include a computer-readable storage medium 1028 on which may be stored one or more sets of instructions (e.g., instructions of methods 1200A, 1300, and/or 1400, in accordance with one or more aspects of the present disclosure) implementing any one or more of the methods or functions described herein. Instructions implementing methods 1200A, 1300, and/or 1400 may also reside, completely or at least partially, within the main memory 1004 and/or within the processing device 1002 during execution thereof by the example computing device 1000, hence the main memory 1004 and the processing device 1002 may also constitute or comprise computer-readable media. The instructions may further be transmitted or received over the network 1020 via the network interface device 1008.

While the computer-readable storage medium 1028 is shown in an illustrative example to be a single medium, the term “computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) that store the one or more sets of instructions. The term “computer-readable storage medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform the methods described herein. The term “computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.

Unless specifically stated otherwise, terms such as “updating”, “identifying”, “determining”, “sending”, “assigning”, or the like, refer to actions and processes performed or implemented by computing devices that manipulates and transforms data represented as physical (electronic) quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device memories or registers or other such information storage, transmission or display devices. Also, the terms “first,” “second,” “third,” “fourth,” etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.

Examples described herein also relate to an apparatus for performing the methods described herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computing device selectively programmed by a computer program stored in the computing device. Such a computer program may be stored in a computer-readable non-transitory storage medium.

The methods and illustrative examples described herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used in accordance with the teachings described herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear as set forth in the description above.

The above description is intended to be illustrative, and not restrictive. Although the present disclosure has been described with references to specific illustrative examples, it will be recognized that the present disclosure is not limited to the examples described. The scope of the disclosure should be determined with reference to the following claims, along with the full scope of equivalents to which the claims are entitled. 

What is claimed is:
 1. A system-on-chip (SoC), comprising: an access control unit to: receive a message comprising an access control data item; validate the message using a value of a message digest function of contents of the message and a value of a state variable reflecting a state of communications between the access control unit and a programming agent that has initiated the message, wherein the value of the state variable is derived from a previous value of the message digest function calculated within a current communication session between the access control unit and the programming agent; update the state variable using the value of the message digest function of the contents of the message; and control, using the access control data item, access by an initiator device to a target device.
 2. The SoC of claim 1, wherein the message digest function is provided by a cryptographic hash function.
 3. The SoC of claim 1, wherein the access control data item comprises at least one of: an access control rule or an address translation rule.
 4. The SoC of claim 3, wherein the access control rule comprises at least one of: an identifier of the initiator device, an identifier of the target device, an address range, an access permission, or an access authorization type.
 5. The SoC of claim 1, wherein the access control unit is implemented by a network-on-chip (NoC) comprising a filtering firewall to enforce access control using the access control data item while transporting at least one of data frames or electric signals between the initiator device and the target device.
 6. The SoC of claim 1, wherein the access control unit is implemented by a memory management unit (MMU) to enforce access control using the access control data item while translating a first address to a second address referencing a memory location on the target device.
 7. A system-on-chip (SoC), comprising: an access control unit to: receive an access control programming message comprising an access control data item; validate the access control programming message using value of a message digest function of contents of the access control programming message, wherein the message digest function is computed using a session key, and wherein validating the access control programming message comprises validating the session key using an intermediate output of the message digest function; and control, using the access control data item, access by an initiator device to a target device.
 8. The SoC of claim 7, wherein the message digest function is provided by a cryptographic hash function.
 9. The SoC of claim 7, wherein the access control data item comprises at least one of: an access control rule or an address translation rule.
 10. The SoC of claim 7, wherein the access control programming message further comprises a target address for storing the access control data item.
 11. The SoC of claim 7, wherein the access control unit is further to: receive, prior to receiving the access control programming message, a session key and a session key signature; and validate the session key by comparing the session key signature with a value of the message digest function of the session key, wherein the message digest function is computed using a hardcoded key.
 12. The SoC of claim 7, wherein validating the access control programming message comprises validating the session key using an intermediate output of the message digest function.
 13. The SoC of claim 7, wherein the access control unit is implemented by a network-on-chip (NoC) comprising a filtering firewall to enforce access control using the access control data item while transporting at least one of data frames or electric signals between the initiator device and the target device.
 14. The SoC of claim 7, wherein the access control unit is implemented by a memory management unit (MMU) to enforce access control using the access control data item while translating a first address to a second address referencing a memory location on the target device.
 15. A system-on-chip (SoC), comprising: an access control unit comprising a key register for storing a key value and a secure memory for storing access control data, the access control unit to: receive a session key and a session key signature; validate the session key by comparing the session key signature with a value of a message digest function of the session key, wherein the message digest function is computed using the key value stored by the key register; receive an access control programming message comprising an access control data item and an access control data item signature; validate the access control programming message by comparing the access control data item signature with a value of the message digest function of contents of the access control programming message, wherein the message digest function is computed using the session key; store the access control data item in the secure memory; and control, using the access control data item, access by an initiator device to a target device.
 16. The SoC of claim 15, wherein the message digest function is provided by a cryptographic hash function.
 17. The SoC of claim 15, further comprising a reset unit to: responsive to detecting a transition into a test mode, clear the key register.
 18. The SoC of claim 15, further comprising a reset unit to: responsive to detecting a transition into a functional mode, load an initial key value into the key register.
 19. The SoC of claim 15, further comprising a reset unit to: responsive to detecting a transition into a functional mode, disable scanning the key register.
 20. The SoC of claim 15, further comprising a reset unit to: responsive to detecting a transition into a functional mode, clear the secure memory storing the access control data.
 21. A method, comprising: receiving, by an access control unit of a system-on-chip (SoC), a message comprising an access control data item; validating the message using a value of a message digest function of contents of the message and a value of a state variable reflecting a state of communications between the access control unit and a programming agent that has initiated the message, wherein the value of the state variable is derived from a previous value of the message digest function calculated within a current communication session between the access control unit and the programming agent; updating the state variable using the value of the message digest function of the contents of the message; and controlling, using the access control data item, access by an initiator device to a target device.
 22. The method of claim 21, wherein the message digest function is provided by a cryptographic hash function.
 23. The method of claim 21, wherein the access control data item comprises at least one of: an access control rule or an address translation rule.
 24. The method of claim 23, wherein the access control rule comprises at least one of: an identifier of the initiator device, an identifier of the target device, an address range, an access permission, or an access authorization type.
 25. A method, comprising: receiving, by an access control unit of a system-on-chip (SoC), an access control programming message comprising an access control data item; validating the access control programming message using a value of a message digest function of contents of the access control programming message, wherein the message digest function is computed using a session key, and wherein validating the access control programming message comprises validating the session key using an intermediate output of the message digest function; and controlling, using the access control data item, access by an initiator device to a target device.
 26. The method of claim 25, wherein the message digest function is provided by a cryptographic hash function.
 27. The method of claim 25, wherein the access control data item comprises at least one of: an access control rule or an address translation rule.
 28. The method of claim 25, wherein the access control programming message further comprises a target address for storing the access control data item.
 29. The method of claim 25, further comprising: receiving, prior to receiving the access control programming message, a session key and a session key signature; and validating the session key by comparing the session key signature with a value of the message digest function of the session key, wherein the message digest function is computed using a hardcoded key.
 30. The method of claim 29, wherein validating the access control programming message comprises validating the session key using an intermediate output of the message digest function.
 31. A method, comprising: receiving, by an access control unit of a system-on-chip (SoC), a session key and a session key signature; validating the session key by comparing the session key signature with a value of a message digest function of the session key, wherein the message digest function is computed using the key value stored by a key register; receiving an access control programming message comprising an access control data item and an access control data item signature; validating the access control programming message by comparing the access control data item signature with a value of the message digest function of contents of the access control programming message, wherein the message digest function is computed using the session key; controlling, using the access control data item, access by an initiator device to a target device.
 32. The method of claim 31, wherein the message digest function is provided by a cryptographic hash function.
 33. The method of claim 31, further comprising: responsive to detecting a transition into a test mode, clearing the key register.
 34. The method of claim 31, further comprising: responsive to detecting a transition into a functional mode, loading an initial key value into the key register.
 35. The method of claim 31, further comprising: responsive to detecting a transition into a functional mode, disabling scanning the key register.
 36. The method of claim 31, further comprising a reset unit to: responsive to detecting a transition into a functional mode, clearing a secure memory storing the access control data. 